I-Worm.Mydoom.b
A modified version of the worm I-Worm.Mydoom.a. It is distributed via the Internet as an attachment to infected e-mail messages, and also via the Kazaa file-sharing network.
The worm is a Windows PE EXE file, 29,184 bytes in size, packed with UPX and PE-Patch. The unpacked file is approximately 49 KB.
The worm is activated only if the user opens the infected file (for example, by double-clicking the attachment). It then installs itself in the system and runs its spreading routine.
The worm contains a “backdoor” function and is programmed to carry out DoS attacks against microsoft.com.
Part of the virus body is encrypted.
The unpacked file contains the text string:
(Sync-1.01; andy; I’m just doing my job, nothing personal, sorry)
Installation
After starting, the worm runs Windows Notepad, which displays an arbitrary set of characters.
The worm copies itself to the Windows system directory under the name “explorer.exe” and registers this file in the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Explorer" = "%System%\explorer.exe"
The worm creates a file named “ctfmon.dll” in the Windows system directory; this is the “backdoor” (proxy) component. It also registers it in the registry:
[HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
"Apartment" = "%SysDir%\ctfmon.dll"
Thus, this DLL will run as a child process of Explorer.exe.
The worm also creates a file named “Body” in the system temporary directory (usually %windir%\temp). This file contains a random set of characters.
To mark its presence in the system, the worm creates several additional registry keys:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version]
For the same purpose, while running, the worm creates a unique identifier “sync-v1.01__ipcmtx0”.
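The persistence indicators above (the Run value pointing at a copy of explorer.exe in the system directory, the hijacked CLSID InProcServer32 entry for ctfmon.dll, and the ComDlg32\Version marker keys) can be checked offline against a registry export. The script below is an added example, not part of the original description or of any vendor tool; it parses a minimal .reg-style text (the sample export is constructed for the demo, including the path C:\WINDOWS\system32 and a harmless "ExampleUpdater" entry) and reports which of the described indicators are present.

```python
"""Added example: scan a .reg export for the Mydoom.b persistence indicators
described above. The sample export and its paths are constructed."""

# Registry locations taken from the description above (hive names expanded
# to the form used in .reg exports).
RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
}
MARKER_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version",
}
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32"

# Comparison is case-insensitive because registry paths are.
_RUN_KEYS = {k.lower() for k in RUN_KEYS}
_MARKER_KEYS = {k.lower() for k in MARKER_KEYS}
_CLSID_KEY = CLSID_KEY.lower()


def parse_reg_export(text):
    """Return {key: {value_name: string_value}} from .reg text.

    Only quoted string values are handled; .reg escapes backslashes as
    '\\\\', which is undone here. Keys with no values are kept too, because
    the marker keys are significant by their mere presence."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            name = name.strip().strip('"')
            value = value.strip().strip('"').replace("\\\\", "\\")
            keys[current][name] = value
    return keys


def find_mydoom_b_indicators(keys):
    """Return a list of human-readable findings for the described indicators."""
    hits = []
    for key, values in keys.items():
        k = key.lower()
        if k in _RUN_KEYS:
            for name, value in values.items():
                v = value.lower()
                # The real Explorer lives in %windir%, never in the system
                # directory; a Run value named "Explorer" pointing there is
                # exactly the persistence entry described above.
                if name.lower() == "explorer" and v.endswith("\\explorer.exe") and "\\system32\\" in v:
                    hits.append(f"Run value '{name}' -> {value} (worm copy of explorer.exe)")
        elif k == _CLSID_KEY:
            for name, value in values.items():
                if value.lower().endswith("\\ctfmon.dll"):
                    hits.append(f"CLSID InProcServer32 '{name}' -> {value} (backdoor DLL)")
        elif k in _MARKER_KEYS:
            hits.append(f"infection marker key present: {key}")
    return hits


def scan_reg_text(text):
    """Convenience wrapper: parse an export and return the findings."""
    return find_mydoom_b_indicators(parse_reg_export(text))


# Constructed sample export: one harmless Run entry plus the three indicators.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"Explorer"="C:\\WINDOWS\\system32\\explorer.exe"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
"Apartment"="C:\\WINDOWS\\system32\\ctfmon.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version]
'''

CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
'''

if __name__ == "__main__":
    for finding in scan_reg_text(SAMPLE_REG):
        print(finding)
```

On a live host the same table would be applied to `reg export` output of the two Run keys, the CLSID key and the two marker keys; the parser deliberately treats the marker keys as a finding on presence alone, since the description says they exist only to mark the infection.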
Mass mailing
The mass-mailing routine is identical to that used in Mydoom.a, with slight modifications.
The message body is chosen at random from the following list:
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment
sendmail daemon reported: Error # 804 occured during SMTP session. Partial message has been received
The message contains Unicode characters and has been sent as a binary attachment.
The message contains MIME-encoded graphics and has been sent as a binary attachment
Mail transaction failed. Partial message is available.
The worm may also send a message with a meaningless set of characters in the subject line, message body and attachment name.
Propagation via P2P
The worm checks whether the Kazaa client is installed and copies itself into its shared folder under the following names:
NessusScan_pro
attackXP-1.26
winamp5
MS04-01_hotfix
zapSetup_40_148
BlackIce_Firewall_Enterpriseactivation_crack
xsharez_scanner
icq2004-final
with one of the following extensions:
bat
exe
scr
pif
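The two spreading channels above leave recognisable artifacts: the canned bounce-style message bodies in mail, and executable files with the listed lure names in a Kazaa shared folder. The script below is an added example, not code from the original description; it matches message bodies against the list (ignoring line wrapping and case) and classifies a shared-folder listing into the described lure names and any other executable with one of the four extensions, which a defender would want to flag in a file-sharing folder regardless of name. The message samples and the directory listing are constructed.

```python
"""Added example: match the mail bodies and Kazaa lure names described above.
All inputs below are constructed samples."""
import os
import re

# Message bodies exactly as listed above ("occured" is the worm's own
# spelling and is kept so that the match stays exact).
MESSAGE_BODIES = [
    "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment",
    "sendmail daemon reported: Error # 804 occured during SMTP session. Partial message has been received",
    "The message contains Unicode characters and has been sent as a binary attachment.",
    "The message contains MIME-encoded graphics and has been sent as a binary attachment",
    "Mail transaction failed. Partial message is available.",
]

# Lure base names and extensions from the P2P section above.
LURE_BASENAMES = {
    "NessusScan_pro", "attackXP-1.26", "winamp5", "MS04-01_hotfix",
    "zapSetup_40_148", "BlackIce_Firewall_Enterpriseactivation_crack",
    "xsharez_scanner", "icq2004-final",
}
LURE_EXTENSIONS = {".bat", ".exe", ".scr", ".pif"}
_LURE_BASENAMES = {b.lower() for b in LURE_BASENAMES}


def _squash(text):
    """Collapse whitespace and case so wrapped mail bodies still match."""
    return re.sub(r"\s+", " ", text).strip().lower()


def matches_mydoom_body(body):
    """True when the body contains one of the worm's canned texts."""
    flat = _squash(body)
    return any(_squash(canned) in flat for canned in MESSAGE_BODIES)


def classify_share_listing(filenames):
    """Split a shared-folder listing into described lure files and other
    executables. Non-executable names are ignored."""
    lures, other_executables = [], []
    for name in filenames:
        base, ext = os.path.splitext(name)
        if ext.lower() not in LURE_EXTENSIONS:
            continue
        if base.lower() in _LURE_BASENAMES:
            lures.append(name)
        else:
            other_executables.append(name)
    return {"mydoom_lures": lures, "other_executables": other_executables}


# Constructed samples.
SAMPLE_BODY = "The message contains Unicode characters and\nhas been sent as a binary attachment.\n"
SAMPLE_LISTING = [
    "winamp5.exe", "MS04-01_hotfix.scr", "icq2004-final.pif",
    "song.mp3", "readme.txt", "crack.exe",
]

if __name__ == "__main__":
    print("mail body matches:", matches_mydoom_body(SAMPLE_BODY))
    print(classify_share_listing(SAMPLE_LISTING))
```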